What is local.blackjack from Netstat?
Question
When running netstat I noticed the suspicious name blackjack. I wonder if it's malware.
PROMPT> netstat -v
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state) rhiwat shiwat pid epid state options
tcp6 0 0 nameofmachine.local.blackjack fe80::c55b:ddf6:.13569 ESTABLISHED 131072 131072 476 0 0x0102 0x00000204
tcp6 0 0 nameofmachine.local.1024 fe80::c55b:ddf6:.1024 ESTABLISHED 131072 131072 476 0 0x0102 0x00000204
Looking up the pid 476
PROMPT> ps ax | grep 476
476 ?? S 0:19.94 /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
So the process that owns the address seems to be identityservicesd.app, which is an Apple process. This is where my trail ends.
There are other mentions of .blackjack occurring on macOS, see this unanswered Reddit question.
Question: Is it malware?
Solution
Giving an extra -n parameter to the netstat command reveals the port number.
This reveals that blackjack corresponds to port 1025.
PROMPT> netstat -anv
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state) rhiwat shiwat pid epid state options
tcp6 0 0 fe80::c999:dc6f:.1025 fe80::c55b:ddf6:.13569 ESTABLISHED 131072 131072 476 0 0x0102 0x00000204
tcp6 0 0 fe80::c999:dc6f:.1024 fe80::c55b:ddf6:.1024 ESTABLISHED 131072 131072 476 0 0x0102 0x00000204
In the past, port 1025 seems to have been used for something named network blackjack. Nowadays I doubt that it's still being used for this purpose.
My conclusion is that identityservicesd running on port 1024+1025 is harmless.
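The name-to-port lookup described in the solution, as an added example that is not part of the original answer: without -n, netstat replaces a port number with its name from the services database, so a label like blackjack says nothing about which program owns the socket. The function names are hypothetical, and SERVICES_EXCERPT is a constructed excerpt in /etc/services format rather than a copy of any system file; the two sample lines are the netstat -v rows from the question.

```python
import socket

# Constructed excerpt in /etc/services format (assumption: stands in for the
# system's services database, which has many more entries).
SERVICES_EXCERPT = """\
ssh        22/tcp
https      443/tcp
blackjack  1025/tcp    # network blackjack
blackjack  1025/udp
"""

# The two rows shown in the question's `netstat -v` output.
SAMPLE_LINES = [
    "tcp6 0 0 nameofmachine.local.blackjack fe80::c55b:ddf6:.13569 ESTABLISHED 131072 131072 476 0 0x0102 0x00000204",
    "tcp6 0 0 nameofmachine.local.1024 fe80::c55b:ddf6:.1024 ESTABLISHED 131072 131072 476 0 0x0102 0x00000204",
]

def load_services(text):
    """Build {(name, proto): port} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            for name in [fields[0]] + fields[2:]:  # primary name plus aliases
                table[(name, proto)] = int(port)
    return table

def resolve_port(service, proto, table):
    """Return the numeric port for a netstat port field, or None if unknown."""
    if service.isdigit():
        return int(service)
    if (service, proto) in table:
        return table[(service, proto)]
    try:
        return socket.getservbyname(service, proto)  # fall back to the OS database
    except OSError:
        return None

def triage(netstat_line, table):
    """Split one macOS netstat -v row into host, numeric port and owning pid."""
    cols = netstat_line.split()
    proto = cols[0].rstrip("46")                  # tcp6 / tcp4 / udp46 -> tcp / udp
    host, _, service = cols[3].rpartition(".")    # macOS prints host.port
    return {"proto": proto, "host": host, "service": service,
            "port": resolve_port(service, proto, table), "pid": int(cols[8])}

if __name__ == "__main__":
    services = load_services(SERVICES_EXCERPT)
    for row in SAMPLE_LINES:
        print(triage(row, services))
```

The pid column, not the service name, is what ties a socket to a binary, which is why the question's ps lookup on pid 476 is the step that identifies identityservicesd.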
Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange